Kyverno
Kyverno is the cluster policy engine for Lumie. The repo uses the upstream chart for the controllers and keeps the actual policy set in checked-in YAML files under security/kyverno/manifests/.
Responsibility
- Run the Kyverno admission, background, cleanup, and reports controllers.
- Mutate incoming pod specs where the checked-in policy set says to do so.
- Audit cluster resources against Lumie platform policies.
- Publish policy-controller metrics to Prometheus.
Source paths
| Path | Role |
|---|---|
| lumie-infra/security/kyverno/argocd.yaml | ArgoCD Application targeting namespace kyverno |
| lumie-infra/security/kyverno/helm-values.yaml | Controller images, resources, metrics, and cluster-wide filters |
| lumie-infra/security/kyverno/kustomization.yaml | Adds the local policy files on top of the chart |
| lumie-infra/security/kyverno/manifests/policies/require-zot-registry.yaml | Audit policy for image provenance |
| lumie-infra/security/kyverno/manifests/policies/require-security-context.yaml | Audit policy for non-root and privilege settings |
| lumie-infra/security/kyverno/manifests/policies/require-resource-limits.yaml | Audit policy for memory and CPU requests and no CPU limits |
| lumie-infra/security/kyverno/manifests/policies/require-goldilocks-label.yaml | Background audit for namespace Goldilocks labeling |
| lumie-infra/security/kyverno/manifests/policies/remove-cpu-limits.yaml | Admission-time mutation that removes CPU limits from pods |
| lumie-infra/security/kyverno/manifests/policy-exceptions.yaml | Explicit carve-outs for bootstrap namespaces, Falco, Tekton DinD, and CNPG |
Policy surface
The checked-in policies are intentionally conservative:
- Every validation policy in this folder uses `validationFailureAction: Audit`.
- `require-goldilocks-label` runs in background-only mode with `admission: false`.
- `remove-cpu-limits` is the only checked-in mutate rule, and it runs only at admission, not during background reconciliation.
In practice the current Kyverno contract is visibility (audit results in reports) plus one normalization (CPU-limit removal), not hard blocking: a pod that violates any of the validation policies is still admitted.
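The contract above is easy to break silently: flipping one policy to `Enforce`, or giving the mutate rule `background: true`, changes behaviour without any ArgoCD health signal. The script below is an added example, not code from the lumie-infra repo; it reads the JSON that `kubectl get clusterpolicy -o json` prints and reports any drift from the documented contract. The embedded sample is constructed: the policy names match the checked-in files, but the rule names and rule bodies are stand-ins, and the `override` helper exists only to build what-if inputs.

```python
"""Check a cluster's Kyverno ClusterPolicy set against the audit-only contract.

Added example (not from lumie-infra). Usage:
    kubectl get clusterpolicy -o json | python check_kyverno_contract.py
With no piped input it checks the constructed sample below.
"""
import copy
import json
import sys

# Constructed sample resembling `kubectl get clusterpolicy -o json` for the
# checked-in set. Policy names are the repo's; rule names are assumptions.
SAMPLE_CLUSTERPOLICIES = json.loads("""
{"items": [
  {"metadata": {"name": "require-zot-registry"},
   "spec": {"validationFailureAction": "Audit", "background": true,
            "rules": [{"name": "images-from-zot", "validate": {}}]}},
  {"metadata": {"name": "require-security-context"},
   "spec": {"validationFailureAction": "Audit",
            "rules": [{"name": "run-as-nonroot", "validate": {}},
                      {"name": "no-privileged", "validate": {}}]}},
  {"metadata": {"name": "require-resource-limits"},
   "spec": {"validationFailureAction": "Audit",
            "rules": [{"name": "requests-set", "validate": {}}]}},
  {"metadata": {"name": "require-goldilocks-label"},
   "spec": {"validationFailureAction": "Audit", "admission": false,
            "background": true,
            "rules": [{"name": "namespace-labelled", "validate": {}}]}},
  {"metadata": {"name": "remove-cpu-limits"},
   "spec": {"background": false,
            "rules": [{"name": "drop-cpu-limit", "mutate": {}}]}}
]}
""")

RULE_TYPES = ("validate", "mutate", "generate", "verifyImages")


def summarize(policy):
    """Flatten one ClusterPolicy into the fields the contract cares about.

    Kyverno defaults when a field is absent: validationFailureAction=Audit,
    background=true, admission=true. Newer Kyverno also allows a per-rule
    validate.failureAction that overrides the policy-level value.
    """
    spec = policy.get("spec", {})
    policy_action = spec.get("validationFailureAction", "Audit")
    types, actions = set(), set()
    for rule in spec.get("rules", []):
        types.update(t for t in RULE_TYPES if t in rule)
        if "validate" in rule:
            actions.add(rule["validate"].get("failureAction", policy_action))
    return {
        "name": policy["metadata"]["name"],
        "types": types,
        "actions": actions,
        "background": spec.get("background", True),
        "admission": spec.get("admission", True),
    }


def check_contract(clusterpolicies):
    """Return human-readable deviations from the documented contract.

    Contract: every validation policy is Audit; require-goldilocks-label is
    background-only (admission: false); remove-cpu-limits is the only mutate
    policy and runs at admission only. An empty list means no drift.
    """
    problems, mutators = [], []
    for item in clusterpolicies.get("items", []):
        s = summarize(item)
        if "validate" in s["types"] and s["actions"] != {"Audit"}:
            problems.append(f'{s["name"]}: validation action {sorted(s["actions"])} is not Audit-only')
        if "mutate" in s["types"]:
            mutators.append(s["name"])
            if s["background"]:
                problems.append(f'{s["name"]}: mutate policy also runs in background')
        if s["name"] == "require-goldilocks-label" and s["admission"]:
            problems.append("require-goldilocks-label: expected admission: false")
        if s["types"] & {"generate", "verifyImages"}:
            problems.append(f'{s["name"]}: uses {sorted(s["types"])}, which is not in the checked-in set')
    if sorted(mutators) != ["remove-cpu-limits"]:
        problems.append(f"mutate policies {sorted(mutators)} != ['remove-cpu-limits']")
    return problems


def override(clusterpolicies, name, **spec_fields):
    """Deep-copy the list and change spec fields of one policy (what-if inputs)."""
    clone = copy.deepcopy(clusterpolicies)
    for item in clone["items"]:
        if item["metadata"]["name"] == name:
            item["spec"].update(spec_fields)
            return clone
    raise KeyError(name)


if __name__ == "__main__":
    data = SAMPLE_CLUSTERPOLICIES if sys.stdin.isatty() else json.load(sys.stdin)
    for problem in check_contract(data):
        print("DRIFT:", problem)
    print("checked", len(data.get("items", [])), "policies")
```

Run it against the live cluster after each ArgoCD sync; a non-empty list is the signal that someone changed a policy's enforcement mode or scope outside the documented contract.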
Runtime flow
Important implementation details
- Helm is configured with `crds.install: false`. The repo expects the Kyverno CRDs to exist already and documents manual CRD installation in the values file comments.
- The chart excludes system namespaces and high-churn resource kinds through `config.resourceFilters`. Anything matched by a resource filter is skipped by Kyverno entirely, so those kinds and namespaces get neither the mutation nor audit results.
- Each controller has its own `ServiceMonitor`, so Prometheus scrapes controller metrics separately.
Failure behavior and operational risks
- Missing CRDs or a CRD/version mismatch can leave the ArgoCD app synced but the policy objects un-applied or skipped at dry-run time.
- Because validation is audit-only, policy violations can still be admitted and only show up later in reports.
- The `PolicyException` objects are broad by design in a few cases, especially the Tekton DinD exception, so review them carefully before adding more carve-outs.
- The image-registry policy checks only containers and init containers (ephemeral containers added with `kubectl debug` are not checked) and uses namespace exclusions; bootstrap namespaces remain outside the guarantee.
Observability
- Kyverno exposes metrics from the admission, background, cleanup, and reports controllers through `ServiceMonitor` objects.
- Policy effectiveness is visible through Kyverno reports and controller logs.
- ArgoCD health confirms controller availability, not policy correctness.
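Because nothing is blocked, the reports are where the audit-only policies actually pay off, and `kubectl get policyreport -A` only shows per-report totals. The script below is an added example, not code from the lumie-infra repo; it digests the JSON that `kubectl get policyreport -A -o json` prints (wgpolicyk8s.io/v1alpha2 PolicyReport objects) into failures per policy rule and per resource, and separately counts `skip` results, which is where a PolicyException has taken a rule out of play. The embedded sample is constructed: report, pod and rule names are invented, and the skip message is only meant to resemble Kyverno's exception wording.

```python
"""Digest Kyverno PolicyReports into the failures a reviewer wants to see.

Added example (not from lumie-infra). Usage:
    kubectl get policyreport -A -o json | python digest_policyreports.py
With no piped input it digests the constructed sample below.
"""
import json
import sys
from collections import Counter

# Constructed sample resembling `kubectl get policyreport -A -o json`.
SAMPLE_REPORTS = json.loads("""
{"items": [
  {"metadata": {"namespace": "apps", "name": "report-a"},
   "results": [
     {"policy": "require-security-context", "rule": "run-as-nonroot",
      "result": "fail", "message": "runAsNonRoot must be true",
      "resources": [{"kind": "Pod", "name": "web-7d9f", "namespace": "apps"}]},
     {"policy": "require-zot-registry", "rule": "images-from-zot",
      "result": "pass",
      "resources": [{"kind": "Pod", "name": "web-7d9f", "namespace": "apps"}]}
   ]},
  {"metadata": {"namespace": "apps", "name": "report-b"},
   "results": [
     {"policy": "require-zot-registry", "rule": "images-from-zot",
      "result": "fail", "message": "image docker.io/library/busybox is not from zot",
      "resources": [{"kind": "Pod", "name": "debug-0", "namespace": "apps"}]}
   ]},
  {"metadata": {"namespace": "tekton-pipelines", "name": "report-c"},
   "results": [
     {"policy": "require-security-context", "rule": "no-privileged",
      "result": "skip", "message": "rule skipped due to policy exception",
      "resources": [{"kind": "Pod", "name": "dind-0", "namespace": "tekton-pipelines"}]}
   ]}
]}
""")


def iter_results(reports):
    """Yield every result entry from every report in a list payload."""
    for report in reports.get("items", []):
        for result in report.get("results", []):
            yield result


def digest(reports):
    """Count results by outcome, failures by (policy, rule), skips by policy.

    'fail' is what audit-only mode lets into the cluster; 'skip' marks rules
    that did not apply, typically because a PolicyException matched.
    """
    summary, fails, skips = Counter(), Counter(), Counter()
    for r in iter_results(reports):
        outcome = r.get("result", "")
        summary[outcome] += 1
        if outcome == "fail":
            fails[(r["policy"], r["rule"])] += 1
        elif outcome == "skip":
            skips[r["policy"]] += 1
    return {"summary": summary, "fail": fails, "skip": skips}


def failing_resources(reports, policy):
    """Sorted, de-duplicated 'namespace/Kind/name' for resources failing `policy`."""
    hits = set()
    for r in iter_results(reports):
        if r.get("policy") == policy and r.get("result") == "fail":
            for res in r.get("resources", []):
                hits.add(f'{res.get("namespace", "")}/{res["kind"]}/{res["name"]}')
    return sorted(hits)


def render(reports):
    """Plain-text lines: outcome totals, then failing rules worst first."""
    d = digest(reports)
    lines = ["totals: " + ", ".join(f"{k}={v}" for k, v in sorted(d["summary"].items()))]
    for (policy, rule), n in d["fail"].most_common():
        lines.append(f"{n:4d} fail  {policy}/{rule}")
        for res in failing_resources(reports, policy):
            lines.append(f"           {res}")
    for policy, n in d["skip"].most_common():
        lines.append(f"{n:4d} skip  {policy} (check the PolicyExceptions)")
    return lines


if __name__ == "__main__":
    data = SAMPLE_REPORTS if sys.stdin.isatty() else json.load(sys.stdin)
    print("\n".join(render(data)))
```

A steadily growing `skip` count for a policy is worth a look alongside the `fail` counts: it means the carve-outs, not the policy, decide what that policy covers.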
Verification
```bash
kubectl get applications.argoproj.io -n argocd kyverno
kubectl get deploy,pods -n kyverno -l app.kubernetes.io/instance=kyverno
kubectl get clusterpolicy
kubectl get policyexception -n kyverno
kubectl logs -n kyverno -l app.kubernetes.io/instance=kyverno --all-containers --tail=200
```
Success signals:
- The `kyverno` Argo CD application is `Healthy` and `Synced`.
- The Kyverno namespace shows the controller deployments expected by the chart: admission, background, cleanup, and reports.
- `kubectl get clusterpolicy` returns the checked-in audit and mutate policies instead of failing from missing CRDs.
- `kubectl get policyexception -n kyverno` returns the checked-in carve-outs for bootstrap, Falco, Tekton DinD, and CNPG.